diff --git a/docs/iam/umn/ALL_META.TXT.json b/docs/iam/umn/ALL_META.TXT.json index 3958b334d..6608b7314 100644 --- a/docs/iam/umn/ALL_META.TXT.json +++ b/docs/iam/umn/ALL_META.TXT.json @@ -80,7 +80,7 @@ "githuburl":"" }, { - "uri":"iam_01_0029.html", + "uri":"iam_07_0002.html", "product_code":"iam", "code":"9", "des":"For security purposes, create a security administrator and manage users in your account as the security administrator.Programmatic access: Users can access cloud services", @@ -380,7 +380,7 @@ "githuburl":"" }, { - "uri":"iam_07_0002.html", + "uri":"iam_01_0029.html", "product_code":"iam", "code":"39", "des":"Only an administrator can configure critical operation protection, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the ", @@ -525,7 +525,7 @@ "code":"53", "des":"The cloud platform provides identity federation based on Security Assertion Markup Language (SAML) or OpenID Connect. This function allows users in your enterprise manage", "doc_type":"usermanual", - "kw":"identity federation,Identity federation,Introduction,Identity Providers,User Guide", + "kw":"identity federation,Introduction,Identity Providers,User Guide", "title":"Introduction", "githuburl":"" }, @@ -603,7 +603,7 @@ "uri":"iam_08_0005.html", "product_code":"iam", "code":"61", - "des":"Configure a federated login entry in the enterprise IdP to enable enterprise users use the login link to access the cloud platform.An IdP entity has been created on the c", + "des":"Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.An IdP entity has been created on the", "doc_type":"usermanual", "kw":"(Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP,Virtual User SSO via SAML", "title":"(Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP", @@ -673,7 +673,7 @@ "uri":"iam_08_0259.html", "product_code":"iam", "code":"68", - "des":"Configure a federated login entry in the enterprise IdP to enable enterprise users use the login link to access the cloud platform.An IdP entity has been created on the c", + "des":"Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.An IdP entity has been created on the", "doc_type":"usermanual", "kw":"(Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP,IAM User SSO via SAML,Use", "title":"(Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP", @@ -723,7 +723,7 @@ "uri":"iam_08_0007.html", "product_code":"iam", "code":"73", - "des":"Configure a federated login entry in the enterprise IdP to enable enterprise users use the login link to access the cloud platform.An IdP entity has been created on the c", + "des":"Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.An IdP entity has been created on the", "doc_type":"usermanual", "kw":"(Optional) Step 3: Configure Login Link in the Enterprise Management System,Virtual User SSO via Ope", "title":"(Optional) Step 3: Configure Login Link in the Enterprise Management System", diff --git a/docs/iam/umn/CLASS.TXT.json b/docs/iam/umn/CLASS.TXT.json index 5ada8fe7c..129937d4a 100644 --- a/docs/iam/umn/CLASS.TXT.json +++ b/docs/iam/umn/CLASS.TXT.json @@ -75,7 +75,7 @@ "desc":"For security purposes, create a security administrator and manage users in your account as the security administrator.Programmatic access: Users can access cloud services", "product_code":"iam", "title":"Creating a Security Administrator", - "uri":"iam_01_0029.html", + "uri":"iam_07_0002.html", "doc_type":"usermanual", "p_code":"7", "code":"9" @@ -345,7 +345,7 @@ "desc":"Only an administrator can configure critical operation protection, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the ", "product_code":"iam", "title":"Critical Operation Protection", - "uri":"iam_07_0002.html", + "uri":"iam_01_0029.html", "doc_type":"usermanual", "p_code":"36", "code":"39" @@ -540,7 +540,7 @@ "code":"60" }, { - "desc":"Configure a federated login entry in the enterprise IdP to enable enterprise users use the login link to access the cloud platform.An IdP entity has been created on the c", + "desc":"Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.An IdP entity has been created on the", "product_code":"iam", "title":"(Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP", "uri":"iam_08_0005.html", @@ -603,7 +603,7 @@ "code":"67" }, { - "desc":"Configure a federated login entry in the enterprise IdP to enable enterprise users use the login link to access the cloud platform.An IdP entity has been created on the c", + "desc":"Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.An IdP entity has been created on the", "product_code":"iam", "title":"(Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP", "uri":"iam_08_0259.html", @@ -648,7 +648,7 @@ "code":"72" }, { - "desc":"Configure a federated login entry in the enterprise IdP to enable enterprise users use the login link to access the cloud platform.An IdP entity has been created on the c", + "desc":"Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.An IdP entity has been created on the", "product_code":"iam", "title":"(Optional) Step 3: Configure Login Link in the Enterprise Management System", "uri":"iam_08_0007.html", diff --git a/docs/iam/umn/en-us_image_0000001606753690.png b/docs/iam/umn/en-us_image_0000001606753690.png index 5931a1456..6a3b52524 100644 Binary files a/docs/iam/umn/en-us_image_0000001606753690.png and b/docs/iam/umn/en-us_image_0000001606753690.png differ diff --git a/docs/iam/umn/en-us_image_0000001607216988.png b/docs/iam/umn/en-us_image_0000001607216988.png index 5931a1456..6a3b52524 100644 Binary files a/docs/iam/umn/en-us_image_0000001607216988.png and b/docs/iam/umn/en-us_image_0000001607216988.png differ diff --git a/docs/iam/umn/en-us_topic_0046611300.html b/docs/iam/umn/en-us_topic_0046611300.html index f1e62d452..52fa48ef6 100644 --- a/docs/iam/umn/en-us_topic_0046611300.html +++ b/docs/iam/umn/en-us_topic_0046611300.html @@ -11,7 +11,7 @@

2023-07-20

This release incorporates the following changes:

- +

2023-07-10

@@ -29,7 +29,7 @@

2023-04-04

This release incorporates the following changes:

- +

2023-02-21

@@ -147,7 +147,7 @@

2018-06-29

This release incorporates the following changes:

-

Added description about the Require Password Reset option in sections Creating a Security Administrator, Creating a User and Adding the User to a User Group, Creating a User, and Viewing and Modifying User Information.

+

Added description about the Require Password Reset option in sections Creating a Security Administrator, Creating a User and Adding the User to a User Group, Creating a User, and Viewing and Modifying User Information.

2018-05-10

diff --git a/docs/iam/umn/en-us_topic_0046611308.html b/docs/iam/umn/en-us_topic_0046611308.html index 5edc888e6..f6b9af14e 100644 --- a/docs/iam/umn/en-us_topic_0046611308.html +++ b/docs/iam/umn/en-us_topic_0046611308.html @@ -11,7 +11,7 @@
  • Basic Information
    • -
  • Critical Operation Protection
    +
  • Critical Operation Protection
  • Login Authentication Policy
    • diff --git a/docs/iam/umn/en-us_topic_0046613147.html b/docs/iam/umn/en-us_topic_0046613147.html index d93957263..25d2a6d16 100644 --- a/docs/iam/umn/en-us_topic_0046613147.html +++ b/docs/iam/umn/en-us_topic_0046613147.html @@ -5,7 +5,7 @@

    Prerequisites

    Before creating an agency, complete the following operations:

    -

    Procedure

    1. Log in to the .
    2. On the IAM console, choose Agencies from the navigation pane, and click Create Agency in the upper right corner.

      Figure 1 Creating an agency
      +

      Procedure

      1. Log in to the IAM console.
      2. On the IAM console, choose Agencies from the navigation pane, and click Create Agency in the upper right corner.

        Figure 1 Creating an agency

      3. Enter an agency name.

        Figure 2 Setting the agency name

      4. Specify the agency type as Account, and enter the name of a delegated account.

        • Account: Share resources with another account or delegate an individual or team to manage your resources. The delegated account can only be an account, rather than an IAM user or a federated user.
        • Cloud service: Delegate a specific service to access other services. For more information, see Cloud Service Delegation.
        diff --git a/docs/iam/umn/en-us_topic_0079620341.html b/docs/iam/umn/en-us_topic_0079620341.html index 906eed34f..28abdcc0d 100644 --- a/docs/iam/umn/en-us_topic_0079620341.html +++ b/docs/iam/umn/en-us_topic_0079620341.html @@ -2,28 +2,65 @@

        Introduction

        The cloud platform provides identity federation based on Security Assertion Markup Language (SAML) or OpenID Connect. This function allows users in your enterprise management system to access through single sign-on (SSO).

        -

        Basic Concepts

        • Identity Provider (IdP)

          An IdP collects and stores user identity information, such as usernames and passwords, and authenticates users during login. For identity federation between an enterprise and the cloud platform, the identity authentication system of the enterprise is an identity provider and is also called "enterprise IdP". Popular third-party IdPs include Microsoft Active Directory Federation Services (AD FS) and Shibboleth.

          -
        • Service Provider (SP)

          A service provider establishes a trust relationship between an IdP and itself, and uses the user information provided by the IdP to provide services. For identity federation between an enterprise and the cloud platform, the cloud platform is a service provider.

          -
        • Identity federation

          Identity federation is a process in which a trust relationship is established between an IdP and SP to implement SSO.

          -
        • Single sign-on (SSO)

          SSO is an access type that allows users to access a trusted SP after logging in to the enterprise IdP. For example, after a trust relationship is established between an enterprise management system and the cloud platform, users in the enterprise management system can use their existing accounts and passwords to access the cloud platform through the login link in the enterprise management system. The cloud platform supports two SSO types: virtual user and IAM user.

          -
        • SAML 2.0

          SAML 2.0 is an XML-based protocol that uses securityTokens containing assertions to pass information about an end user between an IdP and an SP. It is an open standard ratified by the Organization for the Advancement of Structured Information Standards (OASIS) and is being used by many IdPs. For more information about this standard, see SAML 2.0 Technical Overview. The cloud platform implements identity federation in compliance with SAML 2.0. To successfully federate existing users to the cloud platform, ensure that your enterprise IdP is compatible with this protocol.

          -
        • OpenID Connect

          OpenID Connect is a simple identity layer on top of the Open Authorization 2.0 (OAuth 2.0) protocol. IAM implements identity federation in compliance with OpenID Connect 1.0. To successfully federate existing users to the cloud platform, ensure that your enterprise IdP is compatible with this protocol.

          -
        • OAuth 2.0

          OAuth 2.0 is an open authorization protocol. The authorization framework of this protocol allows third-party applications to obtain access permissions.

          -
        +

        Basic Concepts

        +
        + + + + + + + + + + + + + + + + + + + + + + + + + +
        Table 1 Basic concepts

        Concept

        +

        Description

        +

        Identity provider (IdP)

        +

        An IdP collects and stores user identity information, such as usernames and passwords, and authenticates users during login. For identity federation between an enterprise and the cloud platform, the identity authentication system of the enterprise is an identity provider and is also called "enterprise IdP". Popular third-party IdPs include Microsoft Active Directory Federation Services (AD FS) and Shibboleth.

        +

        Service Provider (SP)

        +

        A service provider establishes a trust relationship with an IdP and provides services based on the user information provided by the IdP. For identity federation between an enterprise and the cloud platform, the cloud platform is a service provider.

        +

        Identity federation

        +

        Identity federation is the process of establishing a trust relationship between an IdP and SP to implement SSO.

        +

        Single sign-on (SSO)

        +

        SSO allows users to access a trusted SP after logging in to the enterprise IdP. For example, after a trust relationship is established between an enterprise management system and the cloud platform, users in the enterprise management system can use their existing accounts and passwords to access the cloud platform through the login link in the enterprise management system. The cloud platform supports two SSO types: virtual user SSO and IAM user SSO.

        +

        SAML 2.0

        +

        SAML 2.0 is an XML-based protocol that uses securityTokens containing assertions to pass information about an end user between an IdP and an SP. It is an open standard ratified by the Organization for the Advancement of Structured Information Standards (OASIS) and is being used by many IdPs. For more information about this standard, see SAML 2.0 Technical Overview. The cloud platform implements identity federation in compliance with SAML 2.0. To successfully federate users to the cloud platform, ensure that your enterprise IdP is compatible with this protocol.

        +

        OpenID Connect

        +

        OpenID Connect is a simple identity layer on top of the Open Authorization 2.0 (OAuth 2.0) protocol. IAM implements identity federation in compliance with OpenID Connect 1.0. To successfully federate users to the cloud platform, ensure that your enterprise IdP is compatible with this protocol.

        +

        OAuth 2.0

        +

        OAuth 2.0 is an open authorization protocol. The authorization framework of this protocol allows third-party applications to obtain access permissions.

        +
        +

        Advantages of Identity Federation

        • Easy identity management

          As an administrator, you only need to create accounts for your employees in your enterprise management system. The employees can use their own accounts to access both the enterprise management system and the cloud platform.

        • Simplified operations

          Employees can log in to the cloud platform from the enterprise management system.

          Figure 1 Advantages of identity federation
        -

        SSO Type

        IAM supports two SSO types: virtual user and IAM user. For details about how to choose an SSO type, see Application Scenarios of Virtual User SSO and IAM User SSO.

        -
        • Virtual user

          After a federated user logs in to the cloud platform, the system automatically creates a virtual user and grants access permissions to the virtual user based on the configured identity conversion rules.

          -
        • IAM user

          After a federated user logs in to the cloud platform, the system automatically maps the external identity ID to an IAM user so that the federated user has the permissions of the mapped IAM user.

          +

          SSO Type

          IAM supports two SSO types: virtual user SSO and IAM user SSO. For details about how to choose an SSO type, see Application Scenarios of Virtual User SSO and IAM User SSO.

          +
          • Virtual user SSO

            After a federated user logs in to the cloud platform, the system automatically creates a virtual user and grants access permissions to the virtual user based on the configured identity conversion rules.

            +
          • IAM user SSO

            After a federated user logs in to the cloud platform, the system automatically maps the external identity ID to an IAM user so that the federated user has the permissions of the mapped IAM user.

          Currently, IAM supports two federated login methods: browser-based SSO (web SSO) and SSO via API calling.

          • Web SSO: Browsers are used as the communication media. This authentication type enables common users to access the cloud platform using browsers.
          • SSO via API calling: Enterprise employees call APIs using development tools (such as OpenStack Client and ShibbolethECP Client) to access the cloud platform.
          -
          Table 1 Federated logins

          SSO Type

          +
          @@ -73,7 +110,7 @@
          Table 2 Federated logins

          SSO Type

          Supported Protocols

          -

          Precautions

          • Ensure that your enterprise IdP server and the cloud platform use Greenwich Mean Time (GMT) time in the same time zone.
          • The identity information (such as email address or mobile number) of federated users is stored in the enterprise IdP. Federated users are mapped to the cloud platform as virtual identities, so their access to the cloud platform has the following restrictions:
            • Federated users do not need to perform a 2-step verification when performing critical operations even though critical operation protection (login protection or operation protection) is enabled.
            • Federated users cannot create access keys with unlimited validity, but they can obtain temporary access credentials (access keys and securityTokens) using user or agency tokens.

              If a federated user needs an access key with unlimited validity, the user can contact the account administrator or an IAM user to create one. An access key contains the permissions granted to a user, so it is recommended that the federated user request an IAM user in the same group to create an access key.

              +

              Precautions

              • Ensure that your enterprise IdP server and the cloud platform use Greenwich Mean Time (GMT) time in the same time zone.
              • The identity information (such as email address or mobile number) of federated users is stored in the enterprise IdP. Federated users are mapped to the cloud platform as virtual identities, so their access to the cloud platform has the following restrictions:
                • Federated users do not need to perform a 2-step verification when performing critical operations even though critical operation protection (login protection or operation protection) is enabled.
                • Federated users cannot create access keys with unlimited validity, but they can obtain temporary access credentials (access keys and securityTokens) using user or agency tokens.

                  If a federated user needs an access key with unlimited validity, they can contact the account administrator or an IAM user to create one. An access key contains the permissions granted to a user, so it is recommended that the federated user request an IAM user in the same group to create an access key.

              diff --git a/docs/iam/umn/iam_01_0027.html b/docs/iam/umn/iam_01_0027.html index 7ac43d15b..4e8bab21d 100644 --- a/docs/iam/umn/iam_01_0027.html +++ b/docs/iam/umn/iam_01_0027.html @@ -6,7 +6,7 @@
              • Getting Started with IAM
                • -
              • Creating a Security Administrator
                +
              • Creating a Security Administrator
              • Creating a User Group and Assigning Permissions
                • diff --git a/docs/iam/umn/iam_01_0029.html b/docs/iam/umn/iam_01_0029.html index 11363896b..7dddd88fb 100644 --- a/docs/iam/umn/iam_01_0029.html +++ b/docs/iam/umn/iam_01_0029.html @@ -1,95 +1,171 @@ -

                Creating a Security Administrator

                -

                For security purposes, create a security administrator and manage users in your account as the security administrator.

                -

                Procedure

                1. Choose Management & Deployment > Identity and Access Management.
                2. In the navigation pane, choose Users.
                3. On the Users page, click Create User.
                4. Specify the user information on the Create User page.

                  -

                  - - - - - - - - - - - - - - - - - - - -

                  Parameter

                  -

                  Description

                  -

                  Username

                  -

                  Username that will be used to log in to the cloud platform, for example, Franklin. This field is required.

                  -

                  Email Address

                  -

                  Email address of the user that can be used as a login credential. Users can bind an email address after they are created. This field is required if you have specified Set by user as the access type.

                  -

                  Mobile Number

                  -

                  Mobile phone number of the user that can be used as a login credential. Users can bind a mobile number after they are created. This field is optional.

                  -

                  Description

                  -

                  Additional information about the user. This field is optional.

                  -

                  External Identity ID

                  -

                  Identity of an enterprise user in IAM user SSO.

                  -

                  This parameter (no more than 128 characters) is mandatory for IAM user SSO. For details, see IAM User SSO via SAML

                  -
                  -
                  -

                5. Specify the access type as Management console access and click Next.

                  -

                  - - - - - - - - - - - - - - - - - - - - - - - -

                  Access Type

                  -

                  Configuration

                  -

                  Description

                  -

                  Management console access

                  -

                  Console Password

                  -

                  Set by user

                  -

                  If you are the administrator setting the password for user Franklin, select this option and enter an email address and a mobile number. User Franklin can then set a password by clicking the one-time login URL sent over email.

                  -

                  Automatically generated

                  -

                  This option is available only when you create a single user.

                  -

                  Set now

                  -

                  Select this option if you are user Franklin. Then, set a password for login.

                  -

                  Login Protection

                  -

                  Enable

                  -

                  If login protection is enabled, user Bob will need to enter a verification code in addition to the username and password during login. Enable this function for account security.

                  -

                  You can choose from SMS-, email-, and virtual MFA–based login verification.

                  -

                  Disable

                  -

                  For this example, disable login protection.

                  -
                  -
                  -

                  Programmatic access: Users can access cloud services using development tools (including APIs, CLI, and SDKs) that support key authentication. This access type is recommended for developers.

                  + + + +

                  Critical Operation Protection

                  +

                  Only an administrator can configure critical operation protection, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or grant the required permissions.

                  +

                  Federated users do not need to verify their identity when performing critical operations.

                  -

                6. Click Next. A page is displayed for you to select a user group.
                7. Select the admin user group.
                8. Click Create.
                +

                Virtual MFA Device

                An MFA device generates 6-digit verification codes in compliance with the Time-based One-time Password Algorithm (TOTP). MFA devices can be hardware- or software-based. Currently, only software-based virtual MFA devices are supported, and they are application programs running on smart devices such as mobile phones.

                +

                This section describes how to bind a virtual MFA device. If you have installed another MFA application, add a user by following the on-screen prompts. For details about how to bind or remove a virtual MFA device, see MFA Authentication and Virtual MFA Device.

                +

                Before binding a virtual MFA device, ensure that you have installed an MFA application on your mobile device.

                +
                +
                1. Go to the Security Settings page.
                2. Click the Critical Operations tab, and click Bind in the Virtual MFA Device row.
                3. Set up the MFA application by scanning the QR code or manually entering the secret key.

                  You can bind a virtual MFA device to your account by scanning the QR code or entering the secret key.

                  +
                  • Scanning the QR code

                    Open the MFA application on your mobile phone, and use the application to scan the QR code displayed on the Bind Virtual MFA Device page. Your account or IAM user is then added to the application.

                    +
                  • Manually entering the secret key

                    Open the MFA application on your mobile phone, and enter the secret key.

                    +

                    Your account is manually added using the time-based algorithm. Ensure that automatic time setting has been enabled on your mobile phone.

                    +
                    +
                  +

                4. View the verification codes on the MFA application. The code is automatically updated every 30 seconds.
                5. On the Bind Virtual MFA Device page, enter two consecutive verification codes and click OK.
                +
                +

                Login Protection

                After login protection is enabled, you and IAM users created using your account will need to enter a verification code in addition to the username and password during login. Enable this function for account security.

                +

                For the account, only the account administrator can enable login protection for it. For IAM users, both the account administrator and other administrators can enable this feature for the users.

                +
                • (Administrator) Enabling login protection for an IAM user

                  To enable login protection for an IAM user, go to the Users page and choose More > Security Settings in the row that contains the IAM user. In the Login Protection area on the displayed Security Settings tab, click next to Verification Method, and select a verification method from SMS, email, or virtual MFA device.

                  +
                • Enabling login protection for your account

                  To enable login protection, click the Critical Operations tab on the Security Settings page, click Enable next to Login Protection, select a verification method, enter the verification codes, and click OK.

                  +
                +
                +

                Operation Protection

                • Enabling operation protection

                  After operation protection is enabled, you and IAM users created using your account need to enter a verification code when performing a critical operation, such as deleting an ECS. This function is enabled by default. To ensure resource security, keep it enabled.

                  +

                  The verification is valid for 15 minutes and you do not need to be verified again when performing critical operations within the validity period.

                  +
                +
                1. Go to the Security Settings page.
                2. On the Critical Operations tab, locate the Operation Protection row and click Enable.
                3. Select Enable and then select Self-verification or Verification by another person.

                  If you select Verification by another person, an identity verification is required to ensure that this verification method is available.

                  +
                  • Self-verification: You or IAM users themselves perform verification when performing a critical operation.
                  • Verification by another person: The specified person completes verification when you or IAM users perform a critical operation. Only SMS and email verification are supported.
                  +
                  +

                4. Click OK.
                +
                • Disabling operation protection
                +

                If operation protection is disabled, you and IAM users created using your account do not need to enter a verification code when performing a critical operation.

                +
                1. Go to the Security Settings page.
                2. On the Critical Operations tab, locate the Operation Protection row and click Change.
                3. Select Disable and click OK.
                4. Enter a verification code.

                  • Self-verification: The administrator who wants to disable operation protection completes the verification. SMS, email, and virtual MFA verification are supported.
                  • Verification by another person: The specified person completes the verification. Only SMS and email verification are supported.
                  +

                5. Click OK.
                +
                • Each cloud service defines its own critical operations.
                • When IAM users created using your account perform a critical operation, they will be prompted to choose a verification method from email, SMS, and virtual MFA device.
                  • If a user is only associated with a mobile number, only SMS verification is available.
                  • If a user is only associated with an email address, only email verification is available.
                  • If a user is not associated with an email address, mobile number, or virtual MFA device, the user will need to associate at least one of them before the user can perform any critical operations.
                  +
                • You may not be able to receive email or SMS verification codes due to communication errors. In this case, you are advised to use a virtual MFA device for verification.
                • If operation protection is enabled, IAM users need to enter verification codes when performing a critical operation. The verification codes are sent to the mobile number or email address bound to the IAM users.
                +
                +
                +

                Access Key Management

                • Enabling access key management

                  After access key management is enabled, only the administrator can create, enable, disable, or delete access keys of IAM users. This function is disabled by default. To ensure resource security, enable this function.

                  +

                  To enable access key management, click the Critical Operations tab on the Security Settings page, and click in the Access Key Management row.

                  +
                • Disabling access key management

                  After access key management is disabled, all IAM users can create, enable, disable, or delete their own access keys.

                  +

                  To enable access key management, click the Critical Operations tab on the Security Settings page, and click in the Access Key Management row.

                  +
                +
                +

                Information Self-Management

                • Enabling information self-management

                  By default, information self-management is enabled, indicating that all IAM users can manage their own basic information (login password, mobile number, and email address). Determine whether to allow IAM users to manage their own information and what information they can modify.

                  +

                  To enable information self-management, click the Critical Operations tab on the Security Settings page, and click Enable next to Information Self-Management. Select Enable, select the information types that IAM users can modify, and click OK.

                  +
                • Disabling information self-management

                  After you disable information self-management, only administrators can manage their own basic information. If IAM users need to modify their login password, mobile number, or email address, they can contact the administrator. For details, see Viewing and Modifying User Group Information.

                  +

                  To disable information self-management, click the Critical Operations tab on the Security Settings page, and click Change in the Information Self-Management row. In the displayed pane, select Disable and click OK.

                  +
                +
                +

                Critical Operations

                The following tables list the critical operations defined by each cloud service.

                + +
                + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                Table 1 Critical operations defined by cloud services

                Service Type

                +

                Service

                +

                Critical Operation

                +

                Compute

                +

                +

                Elastic Cloud Server (ECS)

                +
                • Stopping, restarting, or deleting an ECS
                • Resetting the password for logging in to an ECS
                • Detaching a disk
                • Unbinding an EIP
                +

                Bare Metal Server (BMS)

                +
                • Stopping or restarting a BMS
                • Resetting the BMS password
                • Detaching a disk
                • Unbinding an EIP
                +

                Auto Scaling (AS)

                +

                Deleting an AS group

                +

                Storage

                +

                Object Storage Service (OBS)

                +
                • Deleting a bucket
                • Creating, editing, or deleting a bucket policy
                • Configuring an object policy
                • Creating, editing, or deleting a bucket ACL
                • Configuring access logging
                • Configuring URL validation
                • Creating or editing a bucket inventory
                +

                Elastic Volume Service (EVS)

                +

                Deleting an EVS disk

                +

                Cloud Backup and Recovery (CBR)

                +
                • Deleting a vault
                • Deleting a backup
                • Restoring a backup
                • Deleting a policy
                • Dissociating a resource
                • Accepting a backup
                +

                Network

                +

                Domain Name Service (DNS)

                +
                • Modifying, disabling, or deleting a record set
                +

                Virtual Private Cloud (VPC)

                +
                • Releasing or unbinding an EIP
                • Deleting a VPC peering connection
                • Security group operations
                  • Deleting an inbound or outbound rule
                  • Modifying an inbound or outbound rule
                  • Deleting inbound or outbound rules
                  +
                +

                Elastic Load Balance (ELB)

                +
                • Classic load balancers
                  • Deleting a load balancer
                  • Deleting a listener
                  • Deleting a certificate
                  • Disabling a load balancer
                  +
                +
                • Shared load balancers
                  • Deleting a load balancer
                  • Deleting a listener
                  • Deleting a certificate
                  • Removing a backend server
                  • Unbinding an EIP
                  • Unbind a public or private IPv4 address
                  • Unbinding an IPv6 address
                  • Removing from IPv6 shared bandwidth
                  +
                +

                Elastic IP (EIP)

                +
                • Deleting a shared bandwidth
                • Releasing or unbinding an EIP
                • Releasing or unbinding EIPs
                +

                Management & Deployment

                +

                Identity and Access Management (IAM)

                +
                • Disabling operation protection
                • Disabling login protection
                • Changing the mobile number
                • Changing the email address
                • Changing the login password
                • Changing the login authentication method
                • Deleting an IAM user
                • Disabling an IAM user
                • Deleting an agency
                • Deleting a user group
                • Deleting a policy
                • Deleting permissions
                • Creating an access key
                • Deleting an access key
                • Disabling an access key
                • Deleting the project
                • Modifying the status of access key management
                +

                Application

                +

                Distributed Cache Service (DCS)

                +
                • Resetting the password of a DCS instance
                • Deleting a DCS instance
                • Clearing DCS instance data
                +

                Database

                +

                RDS for MySQL

                +
                • Resetting the administrator password
                • Deleting a DB instance
                • Deleting a database backup
                • Switching between primary and standby DB instances
                • Changing the database port
                • Deleting a database account
                • Deleting a database
                • Unbinding an EIP
                • Downloading a full backup
                +

                Databases

                +

                Document Database Service (DDS)

                +
                • Resetting the password
                • Restarting or deleting a DB instance
                • Restarting a node
                • Switching the primary and secondary nodes of a replica set
                • Deleting a security group rule
                • Enabling IP addresses of shard and config nodes
                • Restoring the current DB instance from a backup
                • Restoring an existing DB instance from a backup
                +
                +
                -
                Parent topic: Getting Started
                +
                Parent topic: Security Settings
                + + \ No newline at end of file diff --git a/docs/iam/umn/iam_01_0430.html b/docs/iam/umn/iam_01_0430.html index e0e21a4d7..0eb36277b 100644 --- a/docs/iam/umn/iam_01_0430.html +++ b/docs/iam/umn/iam_01_0430.html @@ -6,9 +6,9 @@

                Deleting a User Group

                Procedure

                To delete a user group, do the following:

                -
                1. Log in to the . In the navigation pane, choose User Groups.
                2. In the user group list, click Delete in the row that contains the user group to be deleted.
                3. In the displayed dialog box, click Yes.
                +
                1. Log in to the IAM console. In the navigation pane, choose User Groups.
                2. In the user group list, click Delete in the row that contains the user group to be deleted.
                3. In the displayed dialog box, click Yes.

                Batch Deleting User Groups

                To delete multiple user groups at a time, do the following:

                -
                1. Log in to the . In the navigation pane, choose User Groups.
                2. In the user group list, select the user groups to be deleted and click Delete above the list.
                3. In the displayed dialog box, click Yes.
                +
                1. Log in to the IAM console. In the navigation pane, choose User Groups.
                2. In the user group list, select the user groups to be deleted and click Delete above the list.
                3. In the displayed dialog box, click Yes.
                diff --git a/docs/iam/umn/iam_06_0004.html b/docs/iam/umn/iam_06_0004.html index 4847288e8..7349e5a5f 100644 --- a/docs/iam/umn/iam_06_0004.html +++ b/docs/iam/umn/iam_06_0004.html @@ -10,7 +10,7 @@
              • Automatically creating a cloud service agency to use certain resources

                The following takes Scalable File Service (SFS) as an example to describe the procedure for automatically creating a cloud service agency:

                1. Go to the SFS console.
                2. On the Create File System page, enable static data encryption.
                3. A dialog box is displayed requesting you to confirm the creation of an SFS agency. After you click OK, the system automatically creates an SFS agency with KMS CMKFullAccess permissions for the current project. With the agency, SFS can obtain KMS keys for encrypting or decrypting file systems.
                4. You can view the agency in the agency list on the IAM console.
                • -

                Creating a Cloud Service Agency on the IAM Console

                1. Log in to the .
                2. On the IAM console, choose Agencies from the navigation pane, and click Create Agency.
                3. Enter an agency name.

                  Figure 1 Cloud service agency name
                  +

                  Creating a Cloud Service Agency on the IAM Console

                  1. Log in to the IAM console.
                  2. On the IAM console, choose Agencies from the navigation pane, and click Create Agency.
                  3. Enter an agency name.

                    Figure 1 Cloud service agency name

                  4. Select the Cloud service agency type, and then select a service.
                  5. Select a validity period.
                  6. (Optional) Enter a description for the agency to facilitate identification.
                  7. Click Next.
                  8. Select the permissions to be assigned to the agency, click Next, and specify the authorization scope.
                  9. Click OK.
                diff --git a/docs/iam/umn/iam_07_0001.html b/docs/iam/umn/iam_07_0001.html index cf3fea608..11738a488 100644 --- a/docs/iam/umn/iam_07_0001.html +++ b/docs/iam/umn/iam_07_0001.html @@ -4,7 +4,7 @@

                Security Settings Overview

                -

                You can configure the account settings, critical operation protection, login authentication policy, password policy, and access control list (ACL) on the Security Settings page. For details, see Basic Information, Critical Operation Protection, Login Authentication Policy, Password Policy, and ACL. This chapter describes how to access the Security Settings page and who is the intended audience.

                +

                You can configure the account settings, critical operation protection, login authentication policy, password policy, and access control list (ACL) on the Security Settings page. For details, see Basic Information, Critical Operation Protection, Login Authentication Policy, Password Policy, and ACL. This chapter describes how to access the Security Settings page and who is the intended audience.

                Intended Audience

                Table 1 lists the intended audience of different functions provided on the Security Settings page and their access permissions for the functions.

                - diff --git a/docs/iam/umn/iam_07_0002.html b/docs/iam/umn/iam_07_0002.html index e811d55b9..b03cc2f17 100644 --- a/docs/iam/umn/iam_07_0002.html +++ b/docs/iam/umn/iam_07_0002.html @@ -1,171 +1,95 @@ - - - -

                Critical Operation Protection

                -

                Only an administrator can configure critical operation protection, and IAM users can only view the configurations. If an IAM user needs to modify the configurations, the user can request the administrator to perform the modification or grant the required permissions.

                -

                Federated users do not need to verify their identity when performing critical operations.

                -
                -

                Virtual MFA Device

                An MFA device generates 6-digit verification codes in compliance with the Time-based One-time Password Algorithm (TOTP). MFA devices can be hardware- or software-based. Currently, only software-based virtual MFA devices are supported, and they are application programs running on smart devices such as mobile phones.

                -

                This section describes how to bind a virtual MFA device. If you have installed another MFA application, add a user by following the on-screen prompts. For details about how to bind or remove a virtual MFA device, see MFA Authentication and Virtual MFA Device.

                -

                Before binding a virtual MFA device, ensure that you have installed an MFA application on your mobile device.

                -
                -
                1. Go to the Security Settings page.
                2. Click the Critical Operations tab, and click Bind in the Virtual MFA Device row.
                3. Set up the MFA application by scanning the QR code or manually entering the secret key.

                  You can bind a virtual MFA device to your account by scanning the QR code or entering the secret key.

                  -
                  • Scanning the QR code

                    Open the MFA application on your mobile phone, and use the application to scan the QR code displayed on the Bind Virtual MFA Device page. Your account or IAM user is then added to the application.

                    -
                  • Manually entering the secret key

                    Open the MFA application on your mobile phone, and enter the secret key.

                    -

                    Your account is manually added using the time-based algorithm. Ensure that automatic time setting has been enabled on your mobile phone.

                    -
                    -
                  -

                4. View the verification codes on the MFA application. The code is automatically updated every 30 seconds.
                5. On the Bind Virtual MFA Device page, enter two consecutive verification codes and click OK.
                -
                -

                Login Protection

                After login protection is enabled, you and IAM users created using your account will need to enter a verification code in addition to the username and password during login. Enable this function for account security.

                -

                For the account, only the account administrator can enable login protection for it. For IAM users, both the account administrator and other administrators can enable this feature for the users.

                -
                • (Administrator) Enabling login protection for an IAM user

                  To enable login protection for an IAM user, go to the Users page and choose More > Security Settings in the row that contains the IAM user. In the Login Protection area on the displayed Security Settings tab, click next to Verification Method, and select a verification method from SMS, email, or virtual MFA device.

                  -
                • Enabling login protection for your account

                  To enable login protection, click the Critical Operations tab on the Security Settings page, click Enable next to Login Protection, select a verification method, enter the verification codes, and click OK.

                  -
                -
                -

                Operation Protection

                • Enabling operation protection

                  After operation protection is enabled, you and IAM users created using your account need to enter a verification code when performing a critical operation, such as deleting an ECS. This function is enabled by default. To ensure resource security, keep it enabled.

                  -

                  The verification is valid for 15 minutes and you do not need to be verified again when performing critical operations within the validity period.

                  -
                -
                1. Go to the Security Settings page.
                2. On the Critical Operations tab, locate the Operation Protection row and click Enable.
                3. Select Enable and then select Self-verification or Verification by another person.

                  If you select Verification by another person, an identity verification is required to ensure that this verification method is available.

                  -
                  • Self-verification: You or IAM users themselves perform verification when performing a critical operation.
                  • Verification by another person: The specified person completes verification when you or IAM users perform a critical operation. Only SMS and email verification are supported.
                  -
                  -

                4. Click OK.
                -
                • Disabling operation protection
                -

                If operation protection is disabled, you and IAM users created using your account do not need to enter a verification code when performing a critical operation.

                -
                1. Go to the Security Settings page.
                2. On the Critical Operations tab, locate the Operation Protection row and click Change.
                3. Select Disable and click OK.
                4. Enter a verification code.

                  • Self-verification: The administrator who wants to disable operation protection completes the verification. SMS, email, and virtual MFA verification are supported.
                  • Verification by another person: The specified person completes the verification. Only SMS and email verification are supported.
                  -

                5. Click OK.
                -
                • Each cloud service defines its own critical operations.
                • When IAM users created using your account perform a critical operation, they will be prompted to choose a verification method from email, SMS, and virtual MFA device.
                  • If a user is only associated with a mobile number, only SMS verification is available.
                  • If a user is only associated with an email address, only email verification is available.
                  • If a user is not associated with an email address, mobile number, or virtual MFA device, the user will need to associate at least one of them before the user can perform any critical operations.
                  -
                • You may not be able to receive email or SMS verification codes due to communication errors. In this case, you are advised to use a virtual MFA device for verification.
                • If operation protection is enabled, IAM users need to enter verification codes when performing a critical operation. The verification codes are sent to the mobile number or email address bound to the IAM users.
                -
                -
                -

                Access Key Management

                • Enabling access key management

                  After access key management is enabled, only the administrator can create, enable, disable, or delete access keys of IAM users. This function is disabled by default. To ensure resource security, enable this function.

                  -

                  To enable access key management, click the Critical Operations tab on the Security Settings page, and click in the Access Key Management row.

                  -
                • Disabling access key management

                  After access key management is disabled, all IAM users can create, enable, disable, or delete their own access keys.

                  -

                  To enable access key management, click the Critical Operations tab on the Security Settings page, and click in the Access Key Management row.

                  -
                -
                -

                Information Self-Management

                • Enabling information self-management

                  By default, information self-management is enabled, indicating that all IAM users can manage their own basic information (login password, mobile number, and email address). Determine whether to allow IAM users to manage their own information and what information they can modify.

                  -

                  To enable information self-management, click the Critical Operations tab on the Security Settings page, and click Enable next to Information Self-Management. Select Enable, select the information types that IAM users can modify, and click OK.

                  -
                • Disabling information self-management

                  After you disable information self-management, only administrators can manage their own basic information. If IAM users need to modify their login password, mobile number, or email address, they can contact the administrator. For details, see Viewing and Modifying User Group Information.

                  -

                  To disable information self-management, click the Critical Operations tab on the Security Settings page, and click Change in the Information Self-Management row. In the displayed pane, select Disable and click OK.

                  -
                -
                -

                Critical Operations

                The following tables list the critical operations defined by each cloud service.

                - -
                Table 1 Intended audience

                Function

                @@ -18,7 +18,7 @@

                IAM users: Full access

                Critical Operations

                +

                Critical Operations
                Table 1 Critical operations defined by cloud services

                Service Type

                +

                Creating a Security Administrator

                +

                For security purposes, create a security administrator and manage users in your account as the security administrator.

                +

                Procedure

                1. Choose Management & Deployment > Identity and Access Management.
                2. In the navigation pane, choose Users.
                3. On the Users page, click Create User.
                4. Specify the user information on the Create User page.

                  +

                  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

                  Parameter

                  Service

                  -

                  Critical Operation

                  +

                  Description

                  Compute

                  -

                  +

                  Username

                  Elastic Cloud Server (ECS)

                  -
                  • Stopping, restarting, or deleting an ECS
                  • Resetting the password for logging in to an ECS
                  • Detaching a disk
                  • Unbinding an EIP
                  +

                  Username that will be used to log in to the cloud platform, for example, Franklin. This field is required.

                  Bare Metal Server (BMS)

                  +

                  Email Address

                  • Stopping or restarting a BMS
                  • Resetting the BMS password
                  • Detaching a disk
                  • Unbinding an EIP
                  +

                  Email address of the user that can be used as a login credential. Users can bind an email address after they are created. This field is required if you have specified Set by user as the access type.

                  Auto Scaling (AS)

                  +

                  Mobile Number

                  Deleting an AS group

                  +

                  Mobile phone number of the user that can be used as a login credential. Users can bind a mobile number after they are created. This field is optional.

                  Storage

                  +

                  Description

                  Object Storage Service (OBS)

                  -
                  • Deleting a bucket
                  • Creating, editing, or deleting a bucket policy
                  • Configuring an object policy
                  • Creating, editing, or deleting a bucket ACL
                  • Configuring access logging
                  • Configuring URL validation
                  • Creating or editing a bucket inventory
                  +

                  Additional information about the user. This field is optional.

                  Elastic Volume Service (EVS)

                  +

                  External Identity ID

                  Deleting an EVS disk

                  -

                  Cloud Backup and Recovery (CBR)

                  -
                  • Deleting a vault
                  • Deleting a backup
                  • Restoring a backup
                  • Deleting a policy
                  • Dissociating a resource
                  • Accepting a backup
                  -

                  Network

                  -

                  Domain Name Service (DNS)

                  -
                  • Modifying, disabling, or deleting a record set
                  -

                  Virtual Private Cloud (VPC)

                  -
                  • Releasing or unbinding an EIP
                  • Deleting a VPC peering connection
                  • Security group operations
                    • Deleting an inbound or outbound rule
                    • Modifying an inbound or outbound rule
                    • Deleting inbound or outbound rules
                    -
                  -

                  Elastic Load Balance (ELB)

                  -
                  • Classic load balancers
                    • Deleting a load balancer
                    • Deleting a listener
                    • Deleting a certificate
                    • Disabling a load balancer
                    -
                  -
                  • Shared load balancers
                    • Deleting a load balancer
                    • Deleting a listener
                    • Deleting a certificate
                    • Removing a backend server
                    • Unbinding an EIP
                    • Unbind a public or private IPv4 address
                    • Unbinding an IPv6 address
                    • Removing from IPv6 shared bandwidth
                    -
                  -

                  Elastic IP (EIP)

                  -
                  • Deleting a shared bandwidth
                  • Releasing or unbinding an EIP
                  • Releasing or unbinding EIPs
                  -

                  Management & Deployment

                  -

                  Identity and Access Management (IAM)

                  -
                  • Disabling operation protection
                  • Disabling login protection
                  • Changing the mobile number
                  • Changing the email address
                  • Changing the login password
                  • Changing the login authentication method
                  • Deleting an IAM user
                  • Disabling an IAM user
                  • Deleting an agency
                  • Deleting a user group
                  • Deleting a policy
                  • Deleting permissions
                  • Creating an access key
                  • Deleting an access key
                  • Disabling an access key
                  • Deleting the project
                  • Modifying the status of access key management
                  -

                  Application

                  -

                  Distributed Cache Service (DCS)

                  -
                  • Resetting the password of a DCS instance
                  • Deleting a DCS instance
                  • Clearing DCS instance data
                  -

                  Database

                  -

                  RDS for MySQL

                  -
                  • Resetting the administrator password
                  • Deleting a DB instance
                  • Deleting a database backup
                  • Switching between primary and standby DB instances
                  • Changing the database port
                  • Deleting a database account
                  • Deleting a database
                  • Unbinding an EIP
                  • Downloading a full backup
                  -

                  Databases

                  -

                  Document Database Service (DDS)

                  -
                  • Resetting the password
                  • Restarting or deleting a DB instance
                  • Restarting a node
                  • Switching the primary and secondary nodes of a replica set
                  • Deleting a security group rule
                  • Enabling IP addresses of shard and config nodes
                  • Restoring the current DB instance from a backup
                  • Restoring an existing DB instance from a backup
                  +

                  Identity of an enterprise user in IAM user SSO.

                  +

                  This parameter (no more than 128 characters) is mandatory for IAM user SSO. For details, see IAM User SSO via SAML
                  +

                5. Specify the access type as Management console access and click Next.

                  +

                  + + + + + + + + + + + + + + + + + + + + + + + +

                  Access Type

                  +

                  Configuration

                  +

                  Description

                  +

                  Management console access

                  +

                  Console Password

                  +

                  Set by user

                  +

                  If you are the administrator setting the password for user Franklin, select this option and enter an email address and a mobile number. User Franklin can then set a password by clicking the one-time login URL sent over email.

                  +

                  Automatically generated

                  +

                  This option is available only when you create a single user.

                  +

                  Set now

                  +

                  Select this option if you are user Franklin. Then, set a password for login.

                  +

                  Login Protection

                  +

                  Enable

                  +

                  If login protection is enabled, user Bob will need to enter a verification code in addition to the username and password during login. Enable this function for account security.

                  +

                  You can choose from SMS-, email-, and virtual MFA–based login verification.

                  +

                  Disable

                  +

                  For this example, disable login protection.

                  +
                  +
                  +

                  Programmatic access: Users can access cloud services using development tools (including APIs, CLI, and SDKs) that support key authentication. This access type is recommended for developers.

                  +
                  +

                6. Click Next. A page is displayed for you to select a user group.
                7. Select the admin user group.
                8. Click Create.
                -
                Parent topic: Security Settings
                +
                Parent topic: Getting Started
                - - \ No newline at end of file diff --git a/docs/iam/umn/iam_08_0003.html b/docs/iam/umn/iam_08_0003.html index 6b76b19c2..17ff303cf 100644 --- a/docs/iam/umn/iam_08_0003.html +++ b/docs/iam/umn/iam_08_0003.html @@ -5,7 +5,7 @@

                Prerequisites

                You have read the documentation of the enterprise IdP or have understood how to use the enterprise IdP. Configurations of different enterprise IdPs differ greatly, so they are not described in this document. For details about how to obtain the enterprise IdP's metadata file and how to upload the metadata file of the cloud platform to the enterprise IdP, see the IdP help documentation.

                Establishing a Trust Relationship Between the Enterprise IdP and the Cloud Platform

                The metadata file of the cloud platform needs to be configured in the enterprise IdP to establish a trust relationship between the two systems.

                -
                1. Download the metadata file of the cloud platform.

                @@ -45,8 +45,8 @@

              • Click OK.
                • -

                Configuring the Metadata File of the Enterprise IdP on the Cloud Platform

                Configure the metadata file of the enterprise IdP in the cloud platform. You can upload or manually edit metadata configurations in IAM. For a metadata file larger than 500 KB, manually configure the metadata. If the metadata has been changed, upload the latest metadata file or edit the existing metadata to ensure that the federated users can log in to the cloud platform successfully.

                -

                For details about how to obtain the metadata file, see the help documentation of the enterprise IdP.

                +

                Configuring the Metadata File of the Enterprise IdP on the Cloud Platform

                To configure the metadata file of the enterprise IdP in the cloud platform, you can upload the metadata file or manually edit metadata on the IAM console. For a metadata file larger than 500 KB, manually configure the metadata. If the metadata has been changed, upload the latest metadata file or edit the existing metadata to ensure that the federated users can log in to the cloud platform successfully.

                +

                For details about how to obtain the metadata file of an enterprise IdP, see the help documentation of the enterprise IdP.

                • Upload a metadata file.
                  1. Click Modify in the row containing the IdP.
                    Figure 3 Modifying an IdP
                  2. Click Select File and select the metadata file of the enterprise IdP.
                    Figure 4 Uploading a metadata file
                    @@ -128,7 +128,7 @@
              • Modifying an IdP: In the IdP list, click Modify in the row containing the IdP, and then change its status or modify the description, metadata, or identity conversion rules.
              • Deleting an IdP: In the IdP list, click Delete in the row containing the IdP, and click Yes in the displayed dialog box.
                • -

                Follow-Up Procedure

                • Configure the enterprise IdP: Configure enterprise IdP parameters to determine what information can be sent to the cloud platform
                • Configuring identity conversion rules: In the Identity Conversion Rules area, configure identity conversion rules to establish a mapping between enterprise users and IAM user groups. In this way, enterprise users can obtain the corresponding permissions in the cloud platform. For details, see Step 3: Configure Identity Conversion Rules.
                • Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO. For details, see Step 4: Verify the Federated Login.
                +

                Follow-Up Procedure

                • Configure the enterprise IdP: Configure enterprise IdP parameters to determine what information can be sent to the cloud platform.
                • Configure identity conversion rules: In the Identity Conversion Rules area, configure identity conversion rules to establish a mapping between enterprise users and IAM user groups. In this way, enterprise users can obtain the corresponding permissions in the cloud platform. For details, see Step 3: Configure Identity Conversion Rules.
                • Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO. For details, see Step 4: Verify the Federated Login.
                diff --git a/docs/iam/umn/iam_08_0004.html b/docs/iam/umn/iam_08_0004.html index b36543c98..fc15871c1 100644 --- a/docs/iam/umn/iam_08_0004.html +++ b/docs/iam/umn/iam_08_0004.html @@ -1,14 +1,14 @@

                Step 3: Configure Identity Conversion Rules

                -

                After an enterprise IdP user logs in to the cloud platform, the cloud platform authenticates the identity and assigns permissions to the user based on the identity conversion rules. You can customize identity conversion rules based on your service requirements. If you do not configure identity conversion rules, the username of the federated user in the cloud platform is FederationUser by default, and the federated user can only access the cloud platform by default.

                +

                After an enterprise IdP user logs in to the cloud platform, the cloud platform authenticates the identity and assigns permissions to the user based on the identity conversion rules. You can customize identity conversion rules based on your service requirements. If you do not configure identity conversion rules, the username of the federated user on the cloud platform is FederationUser by default, and the federated user can only access the cloud platform by default.

                You can configure the following parameters for federated users:

                • Username: Usernames of federated users in the cloud platform.
                • User permissions: Permissions assigned to federated users in the cloud platform. You need to map the federated users to IAM user groups. In this way, the federated users can obtain the permissions of the user groups to use cloud resources. Ensure that user groups have been created. For details about how to create a user group, see Creating a User Group and Assigning Permissions.
                • Modifications to identity conversion rules will take effect the next time federated users log in.
                • To modify the permissions of a user, modify the permissions of the user group to which the user belongs. Then restart the enterprise IdP for the modifications to take effect.

                Prerequisites

                -

                Procedure

                If you configure identity conversion rules by clicking Create Rule, IAM will convert your specified parameters to the JSON format. Alternatively, you can click Edit Rule to directly configure rules in the JSON format. For details, see Syntax of Identity Conversion Rules.

                +

                Procedure

                If you configure identity conversion rules by clicking Create Rule, IAM will convert your specified parameters to the JSON format. Alternatively, you can click Edit Rule to directly configure rules in JSON format. For details, see Syntax of Identity Conversion Rules.

                • Creating Rules
                  1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
                  2. In the IdP list, click Modify in the row containing the IdP.
                  3. In the Identity Conversion Rules area, click Create Rule. Then, configure the rules in the Create Rule dialog box.
                    @@ -22,7 +22,7 @@ - @@ -52,11 +52,11 @@
                    • Username: FederationUser-IdP_admin
                    • User group: admin
                    • Rule condition: _NAMEID_ (attribute), any_one_of (condition), and 000000001 (value).

                      Only the user with ID 000000001 is mapped to IAM user FederationUser-IdP_admin and inherits permissions from the admin user group.

                  4. In the Create Rule dialog box, click OK.
                  5. On the Modify Identity Provider page, click OK.
                    6. -
                  6. Editing Rules
                    1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
                    2. In the IdP list, click Modify in the row containing the IdP.
                    3. In the Identity Conversion Rules area, click Edit Rule. Then configure the rules in the Edit Rule dialog box.
                    4. Edit the identity conversion rules in JSON format. For details, see Syntax of Identity Conversion Rules.
                    5. Click Validate to verify the syntax of the rules.
                    6. If the rule is correct, click OK in the Edit Rule dialog box, and click OK on the Modify Identity Provider page.

                      If a message indicating that the JSON file is incomplete is displayed, modify the statements or click Cancel to cancel the modifications.

                      +
                    7. Editing Rules
                      1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
                      2. In the IdP list, click Modify in the row containing the IdP.
                      3. In the Identity Conversion Rules area, click Edit Rule.
                      4. Edit the identity conversion rules in JSON format. For details, see Syntax of Identity Conversion Rules.
                      5. Click Validate to verify the syntax of the rules.
                      6. If the rule is correct, click OK in the Edit Rule dialog box, and click OK on the Modify Identity Provider page.

                        If a message indicating that the JSON file is incomplete is displayed, modify the statements or click Cancel to cancel the modifications.

                      8. -

                      Related Operations

                      Viewing identity conversion rules: Click View Rule on the Modify Identity Provider page. The identity conversion rules are displayed in the JSON format. For details about the JSON format, see Syntax of Identity Conversion Rules.

                      +

                      Related Operations

                      Viewing identity conversion rules: Click View Rule on the Modify Identity Provider page. The identity conversion rules are displayed in JSON format. For details about the JSON format, see Syntax of Identity Conversion Rules.

                      diff --git a/docs/iam/umn/iam_08_0005.html b/docs/iam/umn/iam_08_0005.html index 07e0d23c8..0804f648d 100644 --- a/docs/iam/umn/iam_08_0005.html +++ b/docs/iam/umn/iam_08_0005.html @@ -1,13 +1,13 @@

                      (Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP

                      -

                      Configure a federated login entry in the enterprise IdP to enable enterprise users use the login link to access the cloud platform.

                      +

                      Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.

                      Prerequisites

                      • An IdP entity has been created on the cloud platform. For details about how to create an IdP entity, see Step 1: Create an IdP Entity.
                      • The login entry for logging in to the cloud platform has been configured in the enterprise management system.

                      Procedure

                      1. Log in to the IAM console. In the navigation pane, choose Identity Providers.
                      2. Click View in the row containing the IdP.

                        Figure 1 Viewing IdP details

                      3. Copy the login link by clicking in the Login link row.

                        Figure 2 Copying the login link

                      4. Add the following statement to the page file of the enterprise management system:

                        <a href="<Login link>"> Cloud platform login entry </a>
                        -

                      5. Log in to the enterprise management system as an enterprise user, and click the configured login link to access the cloud platform.
                      +

                    8. Log in to the enterprise management system using your enterprise account, and click the configured login link to access the cloud platform.
                    diff --git a/docs/iam/umn/iam_08_0007.html b/docs/iam/umn/iam_08_0007.html index 83f3d7fbf..49fbd7e25 100644 --- a/docs/iam/umn/iam_08_0007.html +++ b/docs/iam/umn/iam_08_0007.html @@ -1,13 +1,13 @@

                    (Optional) Step 3: Configure Login Link in the Enterprise Management System

                    -

                    Configure a federated login entry in the enterprise IdP to enable enterprise users use the login link to access the cloud platform.

                    +

                    Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.

                    Prerequisites

                    • An IdP entity has been created on the cloud platform. For details about how to create an IdP entity, see Step 1: Create an IdP Entity.
                    • The login entry for logging in to the cloud platform has been configured in the enterprise management system.

                    Procedure

                    1. Log in to the IAM console. In the navigation pane, choose Identity Providers.
                    2. Click View in the row containing the IdP.

                      Figure 1 Viewing IdP details

                    3. Copy the login link by clicking in the Login link row.

                      Figure 2 Copying the login link

                    4. Add the following statement to the page file of the enterprise management system:

                      <a href="<Login link>"> Cloud platform login entry </a>
                      -

                    5. Log in to the enterprise management system as an enterprise user, and click the configured login link to access the cloud platform.
                    +

                  7. Log in to the enterprise management system using your enterprise account, and click the configured login link to access the cloud platform.
                    8. diff --git a/docs/iam/umn/iam_08_0008.html b/docs/iam/umn/iam_08_0008.html index e13b16fb9..2c0f408f7 100644 --- a/docs/iam/umn/iam_08_0008.html +++ b/docs/iam/umn/iam_08_0008.html @@ -2,12 +2,12 @@

                    Step 2: Configure Identity Conversion Rules

                    Federated users are named FederationUser by default in the cloud platform. These users can only log in to the cloud platform and they do not have any other permissions. You can configure identity conversion rules on the IAM console to achieve the following:

                    -
                    • Display enterprise management system users with different names in the cloud platform.
                    • Assign permissions to enterprise users to use the cloud platform resources by mapping these users to IAM user groups. Ensure that you have created the required user groups. For details, see Creating a User Group and Assigning Permissions.
                    +
                    • Display enterprise users with different names in the cloud platform.
                    • Assign permissions to enterprise users to use the cloud platform resources by mapping these users to IAM user groups. Ensure that you have created the required user groups. For details, see Creating a User Group and Assigning Permissions.
                    • Modifications to identity conversion rules will take effect only after the federated users log in again.
                    • To modify the permissions of a user, modify the permissions of the user group to which the user belongs. Then restart the enterprise IdP for the modifications to take effect.
                    -

                    Prerequisites

                    An IdP has been created, and the login link of the IdP is accessible. (For details about how to create and verify an IdP, see Step 1: Create an IdP Entity.)

                    +

                    Prerequisites

                    An IdP entity has been created, and the login link of the IdP is accessible. (For details about how to create and verify an IdP entity, see Step 1: Create an IdP Entity.)

                    -

                    Procedure

                    If you configure identity conversion rules by clicking Create Rule, IAM converts the rule parameters to the JSON format. Alternatively, you can click Edit Rule to configure rules in the JSON format. For details, see Syntax of Identity Conversion Rules.

                    +

                    Procedure

                    If you configure identity conversion rules by clicking Create Rule, IAM converts the rule parameters to the JSON format. Alternatively, you can click Edit Rule to configure rules in JSON format. For details, see Syntax of Identity Conversion Rules.

                    • Creating Rules
                      1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
                      2. In the IdP list, click Modify in the row containing the IdP.
                      3. In the Identity Conversion Rules area, click Create Rule. Then, configure the rules in the Create Rule dialog box.
                        Figure 1 Setting parameters
                    Table 1 Parameter description

                    Parameter

                    Username of federated users in the cloud platform.

                    To distinguish federated users from users in the cloud platform, it is recommended that you set the username to FederationUser-IdP_XXX. IdP indicates an IdP name, for example, AD FS and Shibboleth. XXX indicates a custom name.

                    +

                    To distinguish federated users from users in the cloud platform, it is recommended that you set the username to FederationUser-IdP_XXX. IdP indicates an IdP name, for example, AD FS or Shibboleth. XXX indicates a custom name.

                    NOTICE:
                    • The username of each federated user must be unique in the same IdP. Federated users with the same usernames in the same IdP will be mapped to the same IAM user in the cloud platform.
                    • The username can only contain letters, digits, spaces, hyphens (-), underscores (_), and periods (.). It cannot start with a digit and cannot contain the following special characters: ", \", \\, \n, \r
                    - @@ -51,16 +51,16 @@
                    • Username: FederationUser-IdP_admin
                    • User group: admin
                    • Rule condition: _NAMEID_ (attribute), any_one_of (condition), and 000000001 (value).

                      Only the user with ID 000000001 is mapped to IAM user FederationUser-IdP_admin and inherits permissions from the admin user group.

                  8. In the Create Rule dialog box, click OK.
                  9. On the Modify Identity Provider page, click OK.
                    10. -
                  10. Editing Rules
                    1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
                    2. In the IdP list, click Modify in the row containing the IdP.
                    3. In the Identity Conversion Rules area, click Edit Rule. Then configure the rules in the Edit Rule dialog box.
                    4. Edit the identity conversion rules in JSON format. For details, see Syntax of Identity Conversion Rules.
                    5. Click Validate to verify the syntax of the rules.
                    6. If the rule is correct, click OK in the Edit Rule dialog box, and click OK on the Modify Identity Provider page.

                      If a message indicating that the JSON file is incomplete is displayed, modify the statements or click Cancel to cancel the modifications.

                      +
                    7. Editing Rules
                      1. Log in to the IAM console as the administrator. In the navigation pane, choose Identity Providers.
                      2. In the IdP list, click Modify in the row containing the IdP.
                      3. In the Identity Conversion Rules area, click Edit Rule.
                      4. Edit the identity conversion rules in JSON format. For details, see Syntax of Identity Conversion Rules.
                      5. Click Validate to verify the syntax of the rules.
                      6. If the rule is correct, click OK in the Edit Rule dialog box, and click OK on the Modify Identity Provider page.

                        If a message indicating that the JSON file is incomplete is displayed, modify the statements or click Cancel to cancel the modifications.

                      8. Verifying Federated User Permissions

                      After configuring identity conversion rules, verify the permissions of federated users.

                      -
                      1. Log in as a federated user.

                        On the Identity Providers page of the console, click View in the row containing the IdP. Click to copy the login link displayed in the Basic Information area, open the link using a browser, and then enter the username and password used in the enterprise management system.

                        -

                      2. Check that the federated user has the permissions assigned to their user group.

                        For example, an identity conversion rule has defined full permissions for all cloud services for federated user ID1 in the admin user group. On the management console, select a cloud service, and check if you can access the service.

                        +
                        1. Log in as a federated user.

                          On the Identity Providers page of the IAM console, click View in the row containing the IdP. Click to copy the login link displayed in the Basic Information area, open the link using a browser, and then enter the username and password used in the enterprise management system.

                          +

                        2. Check that the federated user has the permissions assigned to their user group.

                          For example, configure an identity conversion rule to map federated user ID1 to the admin user group so that ID1 will have full permissions for all cloud services. On the management console, select a cloud service, and check if you can access the service.

                      -

                      Related Operations

                      Viewing identity conversion rules: Click View Rule on the Modify Identity Provider page. The identity conversion rules are displayed in the JSON format. For details about the JSON format, see Syntax of Identity Conversion Rules.

                      +

                      Related Operations

                      Viewing identity conversion rules: Click View Rule on the Modify Identity Provider page. The identity conversion rules are displayed in JSON format. For details about the JSON format, see Syntax of Identity Conversion Rules.

                      diff --git a/docs/iam/umn/iam_08_0009.html b/docs/iam/umn/iam_08_0009.html index a311b3038..6d3de86e1 100644 --- a/docs/iam/umn/iam_08_0009.html +++ b/docs/iam/umn/iam_08_0009.html @@ -2,19 +2,19 @@

                      Step 1: Create an IdP Entity

                      To establish a trust relationship between an enterprise IdP and the cloud platform, set the user redirect URLs and create OAuth 2.0 credentials in the enterprise IdP. On the IAM console, create an IdP entity and configure authorization information.

                      -

                      Prerequisites

                      • The enterprise administrator has created an account in the cloud platform, and has created user groups and assigned them permissions in IAM. For details, see Creating a User Group and Assigning Permissions. The user groups created in IAM will be mapped to federated users so that the federated users can obtain the permissions of the user groups to use cloud resources.
                      • The enterprise administrator has read the help documentation of the enterprise IdP or has understood how to use the enterprise IdP. Configurations of different enterprise IdPs differ greatly, so they are not described in this document. For details about how to obtain the enterprise IdP's OAuth 2.0 credentials, see the IdP help documentation.
                      +

                      Prerequisites

                      • The enterprise administrator has created an account in the cloud platform, and has created user groups and assigned them permissions in IAM. For details, see Creating a User Group and Assigning Permissions. The user groups created in IAM will be mapped to federated users so that the federated users can obtain the permissions of the user groups to use cloud resources.
                      • The enterprise administrator has read the help documentation of the enterprise IdP or has understood how to use the enterprise IdP. Configurations of different enterprise IdPs differ greatly, so they are not described in this document. For details about how to obtain an enterprise IdP's OAuth 2.0 credentials, see the IdP help documentation.

                      Creating OAuth 2.0 Credentials in the Enterprise IdP

                      1. Set redirect URLs https:///authui/oidc/redirect and https:///authui/oidc/post in the enterprise IdP so that users can be redirected to the OpenID Connect IdP in the cloud platform.
                      2. Obtain OAuth 2.0 credentials of the enterprise IdP.

                      Creating an IdP Entity on the Cloud Platform

                      Create an IdP entity and configure authorization information in IAM to establish a trust relationship between the enterprise IdP and IAM

                      1. Log in to the IAM console, choose Identity Providers from the navigation pane, and click Create Identity Provider in the upper right corner.

                        Figure 1 Creating an IdP entity

                      2. Enter an IdP name, select OpenID Connect and Enabled, and click OK.

                        Figure 2 Setting IdP parameters
                        -

                        The IdP name must be unique under your account.

                        +

                        The IdP name must be unique under your account. You are advised to use the domain name.

                      Configuring Authorization Information in the Cloud Platform

                      1. Click Modify in the Operation column of the row containing the IdP you want to modify.

                        Figure 3 Modifying an IdP
                        -

                      2. Select an access type.

                        Figure 4 Access type description
                        +

                      3. Select an access type.

                        Figure 4 Access type
                    11. Table 1 Parameter description

                    Parameter

                    @@ -22,7 +22,7 @@

                    Username of federated users in the cloud platform.

                    To distinguish federated users from users in the cloud platform, it is recommended that you set the username to FederationUser-IdP_XXX. IdP indicates an IdP name, for example, AD FS and Shibboleth. XXX indicates a custom name.

                    +

                    To distinguish federated users from users in the cloud platform, it is recommended that you set the username to FederationUser-IdP_XXX. IdP indicates an IdP name, for example, AD FS or Shibboleth. XXX indicates a custom name.

                    NOTICE:
                    • The username of each federated user must be unique in the same IdP. Federated users with the same usernames in the same IdP will be mapped to the same IAM user in the cloud platform.
                    • The username can only contain letters, digits, spaces, hyphens (-), underscores (_), and periods (.). It cannot start with a digit and cannot contain the following special characters: ", \", \\, \n, \r
                    @@ -46,7 +46,7 @@ @@ -58,7 +58,7 @@ - @@ -96,7 +96,7 @@

                    Verifying the Federated Login

                    1. Click the login link displayed on the IdP details page and check if the login page of the enterprise IdP server is displayed.

                      1. On the Identity Providers page, click Modify in the Operation column of the identity provider.
                      2. Copy the login link displayed on the Modify Identity Provider page and visit the link using a browser.
                        Figure 5 Copying the login link
                      3. If the enterprise IdP login page is not displayed, check the configurations of the IdP and the enterprise IdP server.

                    2. Enter the username and password of a user that was created in the enterprise management system.

                      • If the login is successful, add the login link to the enterprise management system.
                      • If the login fails, check the username and password.
                      -

                      Federated users only have read permissions for the cloud platform by default. To assign permissions to federated users, configure identity conversion rules for the IdP. For details, see Step 2: Configure Identity Conversion Rules.

                      +

                      Federated users can only access the cloud platform by default. To assign permissions to federated users, configure identity conversion rules for the IdP. For details, see Step 2: Configure Identity Conversion Rules.

                    diff --git a/docs/iam/umn/iam_08_0010.html b/docs/iam/umn/iam_08_0010.html index 0ba3b5530..5edb05d16 100644 --- a/docs/iam/umn/iam_08_0010.html +++ b/docs/iam/umn/iam_08_0010.html @@ -6,12 +6,12 @@

                    Overview of Virtual User SSO via OpenID Connect

                    This section describes how to configure identity federation and how identity federation works.

                    Configuring Identity Federation

                    The following describes how to configure your enterprise IdP and the cloud platform to trust each other.

                    -
                    1. Create an IdP entity and establish a trust relationship: Create OAuth 2.0 credentials in the enterprise IdP. In the cloud platform, create an IdP entity and establish a trust relationship between the two systems.
                    2. Configure identity conversion rules: Configure identity conversion rules in the cloud platform to the users, user groups, and permissions in the enterprise IdP to the cloud platform.
                    3. Configure a login link: Configure a login link to allow enterprise users to be redirected to the cloud platform from your enterprise management system.
                    +
                    1. Create an IdP entity and establish a trust relationship: Create OAuth 2.0 credentials in the enterprise IdP. In the cloud platform, create an IdP entity and establish a trust relationship between the two systems.
                    2. Configure identity conversion rules: Configure identity conversion rules in the cloud platform to map the users, user groups, and permissions in the enterprise IdP to the cloud platform.
                    3. Configure a federated login entry: Configure the login link in the enterprise IdP to allow enterprise users to be redirected to the cloud platform from your enterprise management system.

                    How Identity Federation Works

                    Figure 1 shows the identity federation process between an enterprise management system and the cloud platform.

                    Figure 1 How identity federation works

                    The process of identity federation is as follows:

                    -
                    1. A user opens the login link obtained from the IAM console in the browser. The browser sends an SSO request to the cloud platform.
                    2. The cloud platform authenticates the user against the configuration of the enterprise IdP and constructs an OpenID Connect request to the browser.
                    3. The browser forwards the OpenID Connect request to the enterprise IdP.
                    4. The user enters their username and password on the login page displayed in the enterprise IdP. After the enterprise IdP authenticates the user's identity, it constructs an ID token containing the user information, and sends the ID token to the browser as an OpenID Connect authorization response.
                    5. The browser responds and forwards the OpenID Connect response to the cloud platform.
                    6. The cloud platform parses the ID token in the OpenID Connect response, identifies the IAM user group mapping to the user based on the identity conversion rules, and issues a token to the user.
                    7. The user logs in to the cloud platform through SSO.
                    +
                    1. A user opens the login link obtained from the IAM console in the browser. The browser sends an SSO request to the cloud platform.
                    2. The cloud platform authenticates the user against the configuration of the enterprise IdP and constructs an OpenID Connect request to the browser.
                    3. The browser forwards the OpenID Connect request to the enterprise IdP.
                    4. The user enters their username and password on the login page displayed in the enterprise IdP. After the enterprise IdP authenticates the user's identity, it constructs an ID token containing the user information, and sends the ID token to the browser as an OpenID Connect authorization response.
                    5. The browser responds and forwards the OpenID Connect response to the cloud platform.
                    6. The cloud platform parses the ID token in the OpenID Connect response, identifies the IAM user group mapping to the user based on the identity conversion rules, and issues a token to the user.
                    7. The SSO login is successful.
                    diff --git a/docs/iam/umn/iam_08_0021.html b/docs/iam/umn/iam_08_0021.html index 07a579a67..5d4494aae 100644 --- a/docs/iam/umn/iam_08_0021.html +++ b/docs/iam/umn/iam_08_0021.html @@ -11,7 +11,7 @@
                    Figure 1 Configuration of virtual user SSO via SAML
                    1. Create an IdP entity and establish a trust relationship: Create an IdP entity for your enterprise on the cloud platform. Then, upload the cloud platform metadata file to the enterprise IdP, and upload the metadata file of the enterprise IdP to the cloud platform.
                      Figure 2 Exchanging metadata files
                    2. Configure the enterprise IdP: Configure enterprise IdP parameters to determine what information can be sent to the cloud platform.
                    3. Configure identity conversion rules: Configure identity conversion rules to determine the IdP user identities and permissions on the cloud platform.
                      Figure 3 Mapping external identities to virtual users
                      -
                    4. Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO.
                    5. (Optional) Configure a login link: Configure a login link (see Figure 4) to allow enterprise users to be redirected to the cloud platform from your enterprise management system.
                      Figure 4 SSO login model
                      +
                    6. Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO.
                    7. (Optional) Configure a federated login entry: Configure the login link (see Figure 4) in the enterprise IdP to allow enterprise users to be redirected to the cloud platform from your enterprise management system.
                      Figure 4 SSO login model

                    How Identity Federation Works

                    Figure 5 shows the identity federation process between an enterprise management system and the cloud platform.

                    @@ -19,7 +19,7 @@

                    To view interactive requests and assertions with a better experience, you are advised to use Google Chrome and install SAML Message Decoder.

                    As shown in Figure 5, the process of identity federation is as follows:

                    -
                    1. A user opens the login link generated after the IdP creation in the browser. The browser sends an SSO request to the cloud platform.
                    2. The cloud platform authenticates the user against the metadata file of the enterprise IdP and constructs a SAML request to the browser.
                    3. The browser forwards the SAML request to the enterprise IdP.
                    4. The user enters their username and password on the login page. After the enterprise IdP authenticates the user's identity, it constructs a SAML assertion containing the user details and sends the assertion to the browser as a SAML response.
                    5. The browser responds and forwards the SAML response to the cloud platform.
                    6. The cloud platform parses the assertion in the SAML response, identifies the IAM user group mapping to the user based on the identity conversion rules, and issues a token to the user.
                    7. The user logs in to the cloud platform through SSO.

                      The assertion must carry a signature; otherwise, the login will fail.

                      +
                      1. A user opens the login link generated after the IdP creation in the browser. The browser sends an SSO request to the cloud platform.
                      2. The cloud platform authenticates the user against the metadata file of the enterprise IdP and constructs a SAML request to the browser.
                      3. The browser forwards the SAML request to the enterprise IdP.
                      4. The user enters their username and password on the login page. After the enterprise IdP authenticates the user's identity, it constructs a SAML assertion containing the user details and sends the assertion to the browser as a SAML response.
                      5. The browser responds and forwards the SAML response to the cloud platform.
                      6. The cloud platform parses the assertion in the SAML response, identifies the IAM user group mapping to the user based on the identity conversion rules, and issues a token to the user.
                      7. The SSO login is successful.

                        The assertion must carry a signature; otherwise, the login will fail.

                      diff --git a/docs/iam/umn/iam_08_0025.html b/docs/iam/umn/iam_08_0025.html index f232cf75b..f9641cff7 100644 --- a/docs/iam/umn/iam_08_0025.html +++ b/docs/iam/umn/iam_08_0025.html @@ -7,14 +7,14 @@

                      Verifying the Federated Login

                      Federated users can initiate a login from the IdP or SP.

                      • Initiating a login from an IdP, for example, Microsoft Active Directory Federation Services (AD FS) or Shibboleth.
                      • Initiating a login from the SP. You can obtain the login link from the IdP details page on the IAM console.

                      The IdP-initiated login method depends on the IdP. For details, see the IdP help documentation. This section describes how to initiate a login from the SP.

                      -
                      1. Log in as a federated user.

                        On the Identity Providers page of the console, click View in the row containing the IdP. Click to copy the login link displayed in the Basic Information area, open the link using a browser, and then enter the username and password used in the enterprise management system.

                        +
                        1. Log in as a federated user.

                          On the Identity Providers page of the IAM console, click View in the row containing the IdP. Click to copy the login link displayed in the Basic Information area, open the link using a browser, and then enter the username and password used in the enterprise management system.

                          Figure 1 Login link

                        2. Check that the federated user has the permissions assigned to their user group.

                      Redirecting to a Specified Region or Service

                      You can specify the target page which the federated user will be redirected to after login.

                      • Configuring the login link on the SP

                        Combine the login link obtained from the console with the specified URL using the format Login link&service=Specified URL.

                        -
                      • Configuring the login link on the IdP

                        Configure the IAM_SAML_Attributes_redirect_url assertion (the URL to be redirected to) in the SAML assertion of the enterprise IdP.

                        +
                      • Configuring the login link on the IdP

                        Configure IAM_SAML_Attributes_redirect_url (the URL to be redirected to) in the SAML assertion of the enterprise IdP.

                      diff --git a/docs/iam/umn/iam_08_0251.html b/docs/iam/umn/iam_08_0251.html index a14a73fb5..a825c0116 100644 --- a/docs/iam/umn/iam_08_0251.html +++ b/docs/iam/umn/iam_08_0251.html @@ -7,12 +7,12 @@

                      IAM supports two SSO types: virtual user SSO and IAM user SSO. This section describes the two SSO types and their differences, helping you to choose an appropriate type for your business.

                      Virtual User SSO

                      After a federated user logs in to the cloud platform, the system automatically creates a virtual user and assigns permissions to the user based on identity conversion rules. Virtual user SSO is recommended if:

                      -
                      • To reduce management costs, you do not want to create and manage IAM users on the cloud platform.
                      • You want to separate permissions on the cloud platform based on the user groups or attributes in your local enterprise IdP. Permission changes in the local enterprise IdP can be synchronized to the cloud platform by adjusting the user groups or attributes locally.
                      • Your enterprise has branches and each branch has multiple enterprise IdPs. These IdPs need to access the same cloud account. You need to configure multiple IdPs in the cloud platform for identity federation.
                      +
                      • To reduce management costs, you do not want to create and manage IAM users on the cloud platform.
                      • You want to assign permissions for cloud resources based on the user groups or attributes in your local enterprise IdP. Permission changes in the local enterprise IdP can be synchronized to the cloud platform by adjusting the user groups or attributes locally.
                      • Your enterprise has branches and may require multiple enterprise IdPs. These IdPs need to access the same cloud account. You need to configure multiple IdPs in the cloud platform for identity federation.

                      IAM User SSO

                      After a federated user logs in to the cloud platform, the system automatically maps the external identity ID to an IAM user so that the federated user has the permissions of the mapped IAM user. IAM user SSO is recommended if:

                      -
                      • Your cloud products do not support virtual user SSO.
                      • You do not need virtual user SSO and want to simplify the IdP configuration.
                      -

                      Differences Between Virtual User SSO and IAM User SSO

                      They differences between virtual user SSO and IAM user SSO are described as follows:

                      -

                      1. Identity conversion mode: Virtual user SSO uses identity conversion rules to convert the identities of IdP users and IAM users. IAM user SSO uses the external identity ID for identity conversion. The IAM_SAML_Attributes_xUserId value of the IdP user is the same as the external identity ID of the IAM user. The IdP user is mapped to the corresponding IAM user. When you use IAM user SSO, make sure that you have set IAM_SAML_Attributes_xUserId in the IdP and External Identity ID in the SP to the same value.

                      +
                      • The cloud products you use do not support virtual user SSO.
                      • You do not need virtual user SSO and want to simplify the IdP configuration.
                      +

                      Differences Between Virtual User SSO and IAM User SSO

                      The differences between virtual user SSO and IAM user SSO are described as follows:

                      +

                      1. Identity conversion: Virtual user SSO uses identity conversion rules while IAM user SSO uses external identity IDs for identity conversion. An IdP user will be mapped to an IAM user if the IAM_SAML_Attributes_xUserId value of the IdP user is the same as the external identity ID of the IAM user. When you use IAM user SSO, make sure that you have set IAM_SAML_Attributes_xUserId in the IdP and External Identity ID in the SP to the same value.

                      2. User identity in IAM: In virtual user SSO, the IdP user does not have a corresponding IAM user in the IAM user list. After the IdP user logs in, the system automatically creates a virtual user for it. In IAM user SSO, the IdP user has a IAM user mapped by external identity ID on the IAM console.

                      3. Permissions assignment in IAM: In virtual user SSO, the permissions of the IdP user are defined by the identity conversion rule. In IAM user SSO, the IdP user inherits the permissions of the user group which the mapped IAM user belongs to.

                      diff --git a/docs/iam/umn/iam_08_0252.html b/docs/iam/umn/iam_08_0252.html index 6d632f035..002110a25 100644 --- a/docs/iam/umn/iam_08_0252.html +++ b/docs/iam/umn/iam_08_0252.html @@ -5,8 +5,8 @@

                      Step 2: Configure the Enterprise IdP

                      You can configure parameters in the enterprise IdP to determine what information will be sent to the cloud platform. The cloud platform authenticates the federated identity and assigns permissions based on the received information and identity conversion rules.

                      -

                      Common parameters in enterprise IdP

                      -
                    Table 1 Access type description

                    Access Type

                    Identity Provider URL

                    URL of the OpenID Connect IdP.

                    -

                    Specify this parameter as the value of issuer in the Openid-configuration.

                    +

                    Set it to the value of issuer in the Openid-configuration.

                    NOTE:

                    Openid-configuration indicates a URL defined in OpenID Connect, containing configurations of an enterprise IdP. The URL format is https://{base URL}/.well-known/openid-configuration, where base URL is defined by the enterprise IdP. For example, the Openid-configuration of Google is https://accounts.google.com/.well-known/openid-configuration.

                    Authorization Endpoint

                    Authorization endpoint of the OpenID Connect IdP. Specify this parameter as the value of authorization_endpoint in Openid-configuration.

                    +

                    Authorization endpoint of the OpenID Connect IdP. Set it to the value of authorization_endpoint in Openid-configuration.

                    This parameter is required only if you set Access Type to Programmatic access and management console access.
                    Table 1 Common parameters in enterprise IdP

                    Parameter

                    +

                    Common Parameters in an Enterprise IdP

                    +
                    @@ -23,7 +23,7 @@ -
                    Table 1 Common parameters in an enterprise IdP

                    Parameter

                    Description

                    IAM_SAML_Attributes_xUserId

                    ID of an enterprise IdP user (federated user).

                    +

                    ID of an enterprise IdP user (federated user)

                    This parameter is mandatory when the SSO type is IAM user.

                    Each federated user is mapped to an IAM user. The IAM_SAML_Attributes_xUserId of the federated user is the same as the external identity ID of the corresponding IAM user.

                    diff --git a/docs/iam/umn/iam_08_0254.html b/docs/iam/umn/iam_08_0254.html index 200b36ca8..31488b0c9 100644 --- a/docs/iam/umn/iam_08_0254.html +++ b/docs/iam/umn/iam_08_0254.html @@ -12,14 +12,14 @@
                    Figure 1 Configuration of IAM user SSO via SAML
                    1. Create an IdP entity and establish a trust relationship: Create an IdP entity for your enterprise on the cloud platform. Then, upload the cloud platform metadata file to the enterprise IdP, and upload the metadata file of the enterprise IdP to the cloud platform.
                      Figure 2 Exchanging metadata files
                    2. Configure the enterprise IdP: Configure enterprise IdP parameters to determine what information can be sent to the cloud platform.
                    3. Configure an external identity ID on IAM: Establish a mapping between an IAM user and an enterprise user. When your enterprise IdP establishes SSO access to the cloud platform, the enterprise user can log in to the cloud platform as the IAM user with the specified external identity ID. For example, if an enterprise user IdP_Test_User is mapped to the IAM user Alice, the enterprise user IdP_Test_User will log in to the cloud platform as the IAM user Alice.
                      Figure 3 Mapping external identities to IAM users
                      -
                    4. Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO.
                    5. (Optional) Configure a login link: Configure a login link (see Figure 4) to allow enterprise users to be redirected to the cloud platform from your enterprise management system.
                      Figure 4 SSO login model
                      +
                    6. Verify the federated login: Check whether the enterprise user can log in to the cloud platform through SSO.
                    7. (Optional) Configure a federated login entry: Configure the login link (see Figure 4) in the enterprise IdP to allow enterprise users to be redirected to the cloud platform from your enterprise management system.
                      Figure 4 SSO login model

                    How Identity Federation Works

                    Figure 5 shows the identity federation process between an enterprise management system and the cloud platform.

                    Figure 5 How identity federation works

                    To view interactive requests and assertions with a better experience, you are advised to use Google Chrome and install SAML Message Decoder.

                    -
                    As shown in Figure 5, the process of identity federation is as follows:
                    1. A user opens the login link generated after the IdP creation in the browser. The browser sends an SSO request to the cloud platform.
                    2. The cloud platform authenticates the user against the metadata file of the enterprise IdP and constructs a SAML request to the browser.
                    3. The browser forwards the SAML request to the enterprise IdP.
                    4. The user enters their username and password on the login page. After the enterprise IdP authenticates the user's identity, it constructs a SAML assertion containing the user details and sends the assertion to the browser as a SAML response.
                    5. The browser responds and forwards the SAML response to the cloud platform.
                    6. The cloud platform parses the assertion in the SAML response, identifies the IAM user group mapping to the user based on the identity conversion rules, and issues a token to the user.
                    7. The user logs in to the cloud platform through SSO.
                    +
                    As shown in Figure 5, the process of identity federation is as follows:
                    1. A user opens the login link generated after the IdP creation in the browser. The browser sends an SSO request to the cloud platform.
                    2. The cloud platform authenticates the user against the metadata file of the enterprise IdP and constructs a SAML request to the browser.
                    3. The browser forwards the SAML request to the enterprise IdP.
                    4. The user enters their username and password on the login page. After the enterprise IdP authenticates the user's identity, it constructs a SAML assertion containing the user details and sends the assertion to the browser as a SAML response.
                    5. The browser responds and forwards the SAML response to the cloud platform.
                    6. The cloud platform parses the assertion in the SAML response, identifies the IAM user group mapping to the user based on the identity conversion rules, and issues a token to the user.
                    7. The SSO login is successful.

                    The assertion must carry a signature; otherwise, the login will fail.

                    diff --git a/docs/iam/umn/iam_08_0255.html b/docs/iam/umn/iam_08_0255.html index d028b1ea8..ecaca5369 100644 --- a/docs/iam/umn/iam_08_0255.html +++ b/docs/iam/umn/iam_08_0255.html @@ -6,7 +6,7 @@

                    Step 1: Create an IdP Entity

                    To establish a trust relationship between an enterprise IdP and the cloud platform, upload the metadata file of the cloud platform to the enterprise IdP, and then create an IdP entity and upload the metadata file of the enterprise IdP on the IAM console.

                    Establishing a Trust Relationship Between the Enterprise IdP and the Cloud Platform

                    Configure the metadata file of the cloud platform on the enterprise IdP to establish a trust.

                    -
                    1. Download the metadata file of the cloud platform.

                    @@ -33,7 +33,7 @@

                    SSO Type

                    IdP type. An account can have only one type of IdP. The following describes the IAM user type.

                    -

                    IAM user SSO: After a federated user logs in to the cloud platform, the system automatically maps the external identity ID to an IAM user so that the federated user has the permissions of the mapped IAM user. An account can have only one IdP of the IAM user type. If you select the IAM user type, ensure that you have created an IAM user and set the external identity ID. For details, see Creating an IAM User.

                    +

                    IAM user SSO: After a federated user logs in to the cloud platform, the system automatically maps the external identity ID to an IAM user so that the federated user has the permissions of the mapped IAM user. An account can have only one IdP of the IAM user type. If you select the IAM user SSO, ensure that you have created an IAM user and set the external identity ID. For details, see Creating a User.

                    Status

                    @@ -46,8 +46,8 @@

                  11. Click OK.
                    12. -

                    Configuring the Metadata File of the Enterprise IdP on the Cloud Platform

                    You can upload or manually edit metadata on the IAM console. For a metadata file larger than 500 KB, manually configure the metadata. If the metadata has been changed, upload the latest metadata file or edit the existing metadata to ensure that the federated users can log in to the cloud platform successfully.

                    -

                    For details about how to obtain the metadata file of the enterprise IdP, see the help documentation of the enterprise IdP.

                    +

                    Configuring the Metadata File of the Enterprise IdP on the Cloud Platform

                    You can upload the metadata file or manually edit metadata on the IAM console. For a metadata file larger than 500 KB, manually configure the metadata. If the metadata has been changed, upload the latest metadata file or edit the existing metadata to ensure that the federated users can log in to the cloud platform successfully.

                    +

                    For details about how to obtain the metadata file of an enterprise IdP, see the help documentation of the enterprise IdP.

                    • Upload a metadata file.
                      1. Click Modify in the row containing the IdP.
                        Figure 3 Modifying an IdP
                      2. Click Select File and select the metadata file of the enterprise IdP.
                        Figure 4 Uploading a metadata file
                        diff --git a/docs/iam/umn/iam_08_0256.html b/docs/iam/umn/iam_08_0256.html index 761fcc262..1a496c83b 100644 --- a/docs/iam/umn/iam_08_0256.html +++ b/docs/iam/umn/iam_08_0256.html @@ -7,8 +7,8 @@

                        You can configure parameters in the enterprise IdP to determine what information will be sent to the cloud platform. The cloud platform authenticates the federated identity and assigns permissions based on the received information.

                        If the SSO type is IAM user, the enterprise IdP must have the IAM_SAML_Attributes_xUserId assertion configured.

                        -

                        Common Parameters in Enterprise IdP

                        -
                        Table 1 Common parameters in enterprise IdP

                        Parameter

                        +

                        Common Parameters in an Enterprise IdP

                        +
                        @@ -18,7 +18,7 @@ -
                        Table 1 Common parameters in an enterprise IdP

                        Parameter

                        Description

                        IAM_SAML_Attributes_xUserId

                        ID of an enterprise IdP user (federated user).

                        +

                        ID of an enterprise IdP user (federated user)

                        This parameter is mandatory when the SSO type is IAM user.

                        Each federated user is mapped to an IAM user. The IAM_SAML_Attributes_xUserId of the federated user is the same as the external identity ID of the corresponding IAM user.

                        diff --git a/docs/iam/umn/iam_08_0258.html b/docs/iam/umn/iam_08_0258.html index 3a5be85d7..c4c312054 100644 --- a/docs/iam/umn/iam_08_0258.html +++ b/docs/iam/umn/iam_08_0258.html @@ -7,14 +7,14 @@

                        Verifying the Federated Login

                        Federated users can initiate a login from the IdP or SP.

                        • Initiating a login from an IdP, for example, Microsoft Active Directory Federation Services (AD FS) or Shibboleth.
                        • Initiating a login from the SP (the cloud platform). You can obtain the login link from the IdP details page on the IAM console.

                        The IdP-initiated login method depends on the IdP. For details, see the IdP help documentation. This section describes how to initiate a login from the SP.

                        -
                        1. Log in as a federated user.

                          On the Identity Providers page of the console, click View in the row containing the IdP. Click to copy the login link displayed in the Basic Information area, open the link using a browser, and then enter the username and password used in the enterprise management system.

                          +
                          1. Log in as a federated user.

                            On the Identity Providers page of the IAM console, click View in the row containing the IdP. Click to copy the login link displayed in the Basic Information area, open the link using a browser, and then enter the username and password used in the enterprise management system.

                            Figure 1 Login link

                          2. Check whether the federated user is logging in as an IAM user.

                        Redirecting to a Specified Region or Service

                        You can specify the target page which the federated user will be redirected to after login.

                        • Configuring the login link on the SP

                          Combine the login link obtained from the console with the specified URL using the format Login link&service=Specified URL.

                          -
                        • Configuring the login link on the IdP

                          Configure the IAM_SAML_Attributes_redirect_url assertion (the URL to be redirected to) in the SAML assertion of the enterprise IdP.

                          +
                        • Configuring the login link on the IdP

                          Configure IAM_SAML_Attributes_redirect_url (the URL to be redirected to) in the SAML assertion of the enterprise IdP.

                        diff --git a/docs/iam/umn/iam_08_0259.html b/docs/iam/umn/iam_08_0259.html index 44be1bd18..55b1de5be 100644 --- a/docs/iam/umn/iam_08_0259.html +++ b/docs/iam/umn/iam_08_0259.html @@ -4,13 +4,13 @@

                        (Optional) Step 5: Configure a Federated Login Entry in the Enterprise IdP

                        -

                        Configure a federated login entry in the enterprise IdP to enable enterprise users use the login link to access the cloud platform.

                        +

                        Configure a federated login entry in the enterprise IdP so that enterprise users can use the login link to access the cloud platform.

                        Prerequisites

                        • An IdP entity has been created on the cloud platform, and the login link for the IdP is available. For details, see Step 1: Create an IdP Entity.
                        • The login entry for logging in to the cloud platform has been configured in the enterprise management system.

                        Procedure

                        1. Log in to the IAM console. In the navigation pane, choose Identity Providers.
                        2. Click View in the row containing the IdP.

                          Figure 1 Viewing IdP details

                        3. Copy the login link by clicking in the Login link row.

                          Figure 2 Copying the login link

                        4. Add the following statement to the page file of the enterprise management system:

                          <a href="<Login link>"> Cloud platform login entry </a>
                          -

                        5. Log in to the enterprise management system as an enterprise user, and click the configured login link to access the cloud platform.
                        +

                      3. Log in to the enterprise management system using your enterprise account, and click the configured login link to access the cloud platform.